GreyEnergy

Malware updated 4 months ago (2024-05-05T10:17:36.839Z)
GreyEnergy is a malware family, believed to have been used in attacks on Ukraine's power grid in 2018 by the Russia-linked Advanced Persistent Threat (APT) group Sandworm. Security firm WithSecure has identified overlaps between GreyEnergy and another malware family known as Kapeka, suggesting that the two may be related. Conceptual similarities have likewise been found between GreyEnergy and its probable predecessor, BlackEnergy, which was also associated with Sandworm's cyber-attacks. The research suggests that Kapeka could be a successor to GreyEnergy, following a pattern of malware evolution within Sandworm's arsenal. Both GreyEnergy and Kapeka consist of a dropper component with an embedded main backdoor, giving the operator unauthorized access to infected systems. This assessment is further supported by overlaps between Kapeka and the Prestige ransomware attacks, attributed to Sandworm, which targeted Ukraine in 2022. In conclusion, there is strong evidence of a connection between Kapeka, GreyEnergy, and the Sandworm APT group. While the two malware families do not share source code, their conceptual overlaps and shared usage patterns suggest a common development lineage. This finding underscores the evolving threat posed by Sandworm and the importance of continued vigilance and research in cybersecurity.
Description last updated: 2024-05-05T10:17:06.199Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID            Votes   Profile Description
Sandworm      5       Sandworm, a Russia-linked threat actor group, has been implicated in a series of significant cyber-attacks targeting Ukraine's infrastructure. The group successfully compromised 11 Ukrainian telecommunication providers, demonstrating their extensive capabilities and the broad reach of their operatio
BlackEnergy   4       BlackEnergy is a potent malware toolkit that has been utilized by criminal and Advanced Persistent Threat (APT) actors since 2007. Its destructive capabilities were notably demonstrated in Ukraine where it was used for cyber-espionage, compromising industrial control systems, and launching attacks a
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ukraine
Backdoor
Malware
Associated Malware
ID        Type            Votes   Profile Description
Kapeka    is related to   4       Kapeka is a previously unknown malware that operates as a backdoor into systems, linked to the Russian Sandworm Advanced Persistent Threat (APT) group. The malicious software can infiltrate a system through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, i
Prestige  Unspecified     2       Prestige is a malicious software (malware) that has been linked to several disruptive cyberattacks. In October 2022, the malware was used in ransomware attacks against Ukrainian and Polish logistics companies. These attacks were attributed to Sandworm, an advanced persistent threat (APT) group belie
Source Document References
Information about the GreyEnergy malware was read from the documents corpus below.
Source                  Created At     Title
InfoSecurity-magazine   5 months ago   Russian Sandworm Group Using Novel Backdoor to Target Ukraine and Allies
Securityaffairs         5 months ago   Previously unknown Kapeka backdoor linked to Sandworm APT
DARKReading             5 months ago   Dangerous New ICS Malware Targets Orgs in Russia and Ukraine
BankInfoSecurity        5 months ago   Likely Sandworm Hackers Using Novel Backdoor 'Kapeka'
ESET                    2 years ago    RansomBoggs: New ransomware targeting Ukraine | WeLiveSecurity